Permissions

Two questions, for both your pages and your data: who can view it, and who can change it. Quickish picks safe answers by default, and you can override them.

The defaults: a page is editable only by you, however widely it's shared to view. A collection is readable by your page's audience and writable only by you. So a public page is not a public free-for-all — visitors can read, but nothing changes unless you allow it.

The vocabulary

Both pages and collections describe access using the same principals — kinds of people, relative to the page:

Principal	Who it means
`owner`	You — whoever published the page (plus anyone you name as an admin).
`audience`	Whoever can already view the page (public → everyone, company → your domain, invited → the people you listed).
`author`	The person who created a particular record. Used for "edit only your own".
`users`	Anyone signed in (with any Google account).
`workspace`	People at your company (same email domain).
`public`	Anyone at all, signed in or not.

Who can edit a page

Editing a page means re-publishing over it. By default that's owner only — even a company-visible or fully public page can only be changed by you. Open it up when you want collaborators:

Edit policy	Who can re-publish
`--edit-policy owner`	Only you. default
`--editors a@co.com,b@co.com`	You and the people you list.
`--edit-policy workspace`	Anyone at your company domain.

This is independent of who can view the page: a page can be --public to read and owner to edit (the default), or public to read and --editors to edit. Re-publishing never changes who owns a page — adding editors lets people update it, not take it over.

Who can use a collection

A collection gets a policy when you declare it, with one rule per operation. Each rule is a principal, or a list (allowed if you match any). write is shorthand for create + update + delete.

// the defaults, written out — you rarely need to:
quick.db.collection("notes", {
  read:   "audience",   // anyone who can see the page
  create: "owner",      // only you can add
  update: "owner",
  delete: "owner",
});

Common shapes:

Policy	Behaviour
`{ read:"audience", write:"owner" }`	Everyone reads, only you write. Blog posts, a changelog, a menu.
`{ read:"audience", create:"users", update:"author", delete:["author","owner"] }`	Signed-in visitors add; each edits only their own; you can moderate. Comments, a wall.
`{ read:"author", write:"author" }`	Everyone sees and edits only their own rows. Per-person to-dos, drafts.
`{ read:"audience", write:"audience" }`	Anyone who can view may write. A classic open guestbook (opt in deliberately).

admins lets you name extra people who count as owner for moderation:

quick.db.collection("comments", {
  read: "audience", create: "users", update: "author",
  delete: ["author", "owner"],
  admins: ["editor@acme.com"],   // can delete anyone's comment
});

A blog, end to end

Posts only you write; comments anyone signed in can leave, editable only by their author, deletable by author or you:

const posts = quick.db.collection("posts", { read: "audience", write: "owner" });
const comments = quick.db.collection("comments", {
  read: "audience", create: "users",
  update: "author", delete: ["author", "owner"],
});

A read returns a _mine flag on each record (true when you authored it) so your page can show "edit"/"delete" only where they'll work — without exposing anyone's email.

A note on trust: "only the author can edit" and "only the owner can edit the page" are boundaries Quickish enforces — but since you control your page's code, you can always rewrite its rules. They protect your data from visitors, not from yourself. Treat them as intent, not a vault.